[squid-announce] Squid 4.0.21 beta is available

The Squid HTTP Proxy team is very pleased to announce the availability
of the Squid-4.0.21 release!

This release is a bug fix release resolving several issues found in the
prior Squid releases.

The major changes to be aware of:

* Regression Bug 4492: Chunk extension parser is too pedantic

With this fix Squid is back to ignoring some unusual message whitespace
padding that senders should not have been adding, but which is generally
harmless to the protocol. It is a regression specific to the Squid-4
release series, not affecting any other installations.

* Bug 1961 partial: Redesign urlParse API

The core changes for the redesign work are largely finished now. As a
result, this release should have much lower memory use on url_rewrite API
lookups which choose not to rewrite the URL.

* Collapse security_file_certgen requests

This helper API now collapses identical parallel lookups into a single
helper message to reduce load and latency and, as a result, reduce
pressure on the system crypto services. It still has some issues, but
should now cope a lot better with sudden load peaks as seen from browsers
starting up.

* SSL-Bump: tproxy does not spoof spliced connections

This release now performs TPROXY spoofing properly when SSL-Bump logic
selects the splice action. Previously, SSL-Bump would behave as if NAT
intercept was being used, replacing the sender IP with Squid's own.

* Add a basic AppArmor profile

This release bundles a basic AppArmor profile contributed by Ubuntu
developers. As with init system scripts, this profile is not installed by
default; packagers wishing to use it should pull the file from the
sources during packaging.

Several major bug fixes shared with the future Squid-3.5.27 release are
also worth mentioning:

The security fix for CVE-2016-10003 had a negative effect on collapsed
forwarding. All "private" entries were considered automatically
non-shareable among collapsed clients. However, this is not true: there
are many situations when collapsed forwarding should work despite the
"private" (non-cacheable) entry status; 304/5xx responses are good
examples of that.

This release adds a mechanism to mark some non-cached responses as
shareable under collapsed forwarding.

These changes also involved fixing incorrect delivery of 304 responses
to a client when Squid was the agent performing revalidation instead of
the client.

* Bug 4112: ssl_engine does not accept cryptodev

This directive has been broken for quite a long time, failing to
recognize any of the default OpenSSL engines. This release restores
support for the OpenSSL engines feature.

* Fix SMP query handoff to Coordinator.

Several issues related to SMP messages to the coordinator process have
been fixed. Some of these are likely to have caused hung connections for
SNMP and mgr transactions. Others resulted in garbage messages arriving
at the coordinator.

All users of Squid-4.x are encouraged to upgrade to this release as
soon as possible.

All users of Squid-3 are encouraged to test this release out and plan
for upgrades where possible.

See the ChangeLog for the full list of changes in this and earlier
releases.